OpenNTPD is a FREE, easy to use implementation of the Network Time Protocol. It can synchronize the local clock with NTP servers, and it can also act as an NTP server itself, serving the local time to other users.

+

NTP servers are classified in a hierarchical system with many levels called ''strata'': the devices which are considered independent time sources are classified as ''stratum 0'' sources; the servers directly connected to ''stratum 0'' devices are classified as ''stratum 1'' sources; servers connected to ''stratum 1'' sources are then classified as ''stratum 2'' sources and so on.

−

OpenNTPD is primarily developed by Henning Brauer as part of the OpenBSD Project.

+

It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you do not already know the servers you are going to connect to, you should use the [http://www.pool.ntp.org/ pool.ntp.org] servers ([http://support.ntp.org/bin/view/Servers/NTPPoolServers alternate link]) and choose the server pool that is closest to your location.

−

OpenNTPD is a brand new implementation of the ntp protocol. Compared with NTPD, OpenNTPD is easier to configure and use.

This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: {{ic|nomodify}} prevents reconfiguring your ntpd (with ''ntpq'' or ''ntpdc''), and {{ic|noquery}} prevents dumping status data from your ntpd (also with ''ntpq'' or ''ntpdc'').

−

# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers

−

servers pool.ntp.org

−

</pre>

−

To synchronize with a specific server, uncomment the line and replace "ntp.example.org" with the server's address.

+

You can also add other options:

−

<pre>

−

server ntp.example.org

−

</pre>

−

The "servers" directive works the same as the "server" directive, however, if the dns name resolves to multiple IP address, ALL of them will be synced to. In practice, the default "pool.ntp.org" already meets most needs. Specific time servers are listed at www.pool.ntp.org/zone/asia

+

restrict default kod nomodify notrap nopeer noquery

−

<pre>

−

pool.ntp.org

−

</pre>

−

Any number of "server" or "servers" directives may be used.

+

{{Note|This will allow other people to query your time server. You need to add {{ic|noserve}} to stop serving time.}}

−

If you want the computer you run OpenNTPD on to also be a time server, simply uncomment and edit the "listen" directive.

The very first line of your ntp.conf file should contain a line such as the following:

+

restrict default kod nomodify notrap nopeer noquery

−

restrict default noquery notrust nomodify

+

restrict -6 default kod nomodify notrap nopeer noquery
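
Review bot: the new default line "restrict default kod nomodify notrap nopeer noquery" and its "-6" counterpart carry three flags, kod, notrap and nopeer, that the accompanying explanation never describes; it covers only nomodify and noquery. Add a clause for each of the three next to that explanation. The added note about noserve should also say which kind of host needs it, since it is the only place the revision states that this default still serves time to anyone who asks.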

−

This essentially restricts everyone from modifying anything. Following this, you need to let ntpd know what you want to let through into your NTP server. Here is where you would specify any other ip addresses you would like to synchronize on your NTP server. For example:

−

−

restrict 1.2.3.4

−

restrict 192.168.0.0 mask 255.255.255.0 nomodify

−

−

This tells ntpd that 1.2.3.4 and all ip addresses from the 192.168.0.0 range will be allowed to synchronize on this server, but they will not be allowed to modify anything. All other IP addresses in the world will still obey the default restrictions (the first line in the ntp.conf).

−

−

Now, is where the stratum 2 servers that our server will synchronize with come into play. The lines in ntp.conf will be used to tell ntpd what servers we would like to use for synchronizing (these are just examples; use ntp servers that are closest to your location). Please see http://ntp.isc.org/bin/view/Servers/NTPPoolServers for a list a closer servers.

−

−

<pre>

−

server ntp1.cs.wisc.edu

−

server ntp3.cs.wisc.edu

−

server ntp3.sf-bay.org

−

</pre>

−

−

Unless you have a good reason not to, it is advisable to use the pool.ntp.org servers: http://www.pool.ntp.org/.

−

Alternatively, a list of ntp servers is available at http://www.eecis.udel.edu/~mills/ntp/clock2a.html. Please pay attention to the Access Policies.

−

−

If we left it alone right now, we would never connect to a server because the response from any of the three servers listed above would never be allowed back into our server due to the fact that our default restrict statement would be in use (since we did not add the servers to our lesser restrictions (like we did with 127.0.0.1 and the subnet of 192.168.0.0).

−

−

To correct this, enter the following lines in ntp.conf:

−

−

<pre>

−

restrict ntp1.cs.wisc.edu noquery nomodify

−

restrict ntp3.cs.wisc.edu noquery nomodify

−

restrict ntp3.sf-bay.org noquery nomodify

−

</pre>

−

−

This will allow the response from the above servers into our system so our local clock can be synchronized. The noquery restriction will not allow any of the above three servers to query for information from our server. The nomodify restriction will not allow the three servers to modify anything (synchronization will still take place).

−

−

The only thing left to do is add the drift file (which keeps track of yours clocks time deviation). and the log file location:

−

−

<pre>

−

driftfile /etc/ntp.drift

−

logfile /var/log/ntp.log

−

</pre>

−

−

The complete file will look like this:

−

−

<pre>

−

# default restrictions

−

restrict default noquery notrust nomodify

−

−

# override the default restrictions here

−

restrict 10.1.1.0 mask 255.255.255.0 nomodify

−

−

# public NTP servers to sync with (all stratum 2)

−

server ntp1.cs.wisc.edu

−

server ntp3.cs.wisc.edu

−

server ntp3.sf-bay.org

−

−

restrict ntp1.cs.wisc.edu noquery nomodify

−

restrict ntp3.cs.wisc.edu noquery nomodify

−

restrict ntp3.sf-bay.org noquery nomodify

−

−

# NTP drift file - used to keep track of your system clocks

−

# time deviation

−

driftfile /etc/ntp.drift

−

−

# NTP log file

−

logfile /var/log/ntp.log

−

</pre>

−

−

Take note that this is for a client and a server ntp.conf configuration. If you just want to synchronize with a stratum server and are not concerned with other PCs synchronizing with your ntp server, then you can do something like the following (note that only 127.0.0.1 is allowed to be synchronized):

−

−

<pre>

−

# default restrictions

−

restrict default noquery notrust nomodify

−

−

# Permit all access over the loopback interface

restrict 127.0.0.1

restrict 127.0.0.1

+

restrict -6 ::1

−

# public NTP servers to sync with (all stratum 2)

+

driftfile /var/lib/ntp/ntp.drift

−

server ntp1.cs.wisc.edu

−

server ntp3.cs.wisc.edu

−

server ntp3.sf-bay.org

−

−

restrict ntp1.cs.wisc.edu noquery nomodify

−

restrict ntp3.cs.wisc.edu noquery nomodify

−

restrict ntp3.sf-bay.org noquery nomodify

−

−

# NTP drift file - used to keep track of your system clocks

−

# time deviation

−

driftfile /etc/ntp.drift

−

−

# NTP log file

−

logfile /var/log/ntp.log

−

</pre>

−

−

... or if you don't care about restrictions at all, something like this (note there are no restrictions, thus no need to reduce restrictions for 127.0.0.1 to allow your local clock to synchronize):

−

−

<pre>

−

# public NTP servers to sync with (all stratum 2)

−

server ntp1.cs.wisc.edu

−

server ntp3.cs.wisc.edu

−

server ntp3.sf-bay.org

−

−

# NTP drift file - used to keep track of your system clocks

−

# time deviation

−

driftfile /etc/ntp.drift

−

−

# NTP log file

logfile /var/log/ntp.log

logfile /var/log/ntp.log

−

</pre>

+

}}

−

−

−

'''A''' '''Note''' '''about''' '''Security'''

−

−

You may wonder about all of the restrict lines. The reason for them is security. If you don't want a secure NTP server, don't add any restrict lines to your ntp.conf file. If you want a secure NTP server, start out by adding a default restrict that doesn't allow anything to contact your server, then add more (less restrictive) restrict lines - allowing certain addresses various access privileges.

−

−

−

'''/etc/rc.d/network''' '''file''' '''modification'''

−

One more thing that you may want to do. In most cases, /etc/ntp.conf will be overwritten by dhcp; to prevent this, edit /etc/conf.d/dhcpcd and add -N to the line that starts with 'dhcpcd -t 10'.

{{Note|ntpd should still be running when the network is down if the hwclock daemon is disabled, so you should not use this.}}

+

''ntpd'' can be brought up/down along with a network connection through the use of [[NetworkManager#Network Services with NetworkManager Dispatcher|NetworkManager's dispatcher scripts]]. You can install the needed script from [community]:

−

#!/bin/bash

+

{{bc|# pacman -S networkmanager-dispatcher-ntpd}}

−

#

−

# /etc/rc.local: Local multi-user startup script.

−

#

−

−

# Re-copy ntp.conf (was over written by dhcp)

−

cp /root/CONFIG.BAK/ntp.conf.bac /etc/ntp.conf

−

# I advise you keep your desired /etc/ntp.conf

−

# OUTSIDE of /etc

−

−

# Set time

−

/usr/bin/ntpdate ntp.nasa.gov #Use any time server you like here

−

−

# Start ntpd

−

/etc/rc.d/ntpd start

+

===Running in a chroot===

+

{{Note|Before attempting this, complete the previous section on running as non-root, since chroots are relatively useless at securing processes running as root.}}

−

And here is my /root/CONFIG.BAK/ntp.conf.bac (this is just a copy of the desired /etc/ntp.conf)

+

Edit {{ic|/etc/conf.d/ntpd.conf}} and change

+

NTPD_ARGS="-g -u ntp:ntp"

−

# default restrictions

+

to

−

restrict default noquery notrust nomodify

−

−

# override the default restrictions here

−

restrict 127.0.0.1 nomodify

−

restrict 192.168.2.0 mask 255.255.255.0 nomodify

−

−

# public NTP servers to sync with (all stratum 2)

−

server ntp.nasa.gov #Use any time server you like here

−

−

restrict ntp.nasa.gov noquery nomodify

−

−

# NTP drift file - used to keep track of your system clocks

−

driftfile /etc/ntp.drift

−

−

# NTP log file

−

logfile /var/log/ntp.log

+

NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp"

−

Leave /etc/conf.d/dhcpcd at default. Mine is a single line and reads

+

Then, edit {{ic|/etc/ntp.conf}} to change the driftfile path such that it is relative to the chroot directory, rather than to the real system root. Change:

+

driftfile /var/lib/ntp/ntp.drift

−

DHCPCD_ARGS="-t 30 -h $HOSTNAME"

+

to

+

driftfile /ntp.drift

−

With this configuration I get the correct time and ntpd running at boot.

+

Create a suitable chroot environment so that getaddrinfo() will work by creating pertinent directories and files (as root):

Running ''ntpdate'' when you boot up is a good idea because ntpd may take a long time to synchronize your local clock depending on how far off the time is. If your clock is synchronized when ntpd starts, then it's sole purpose is to keep it synchronized. To run ntpd at startup, add ''ntpd'' to the daemons section of the /etc/rc.conf file.

+

{{bc|# rc.d restart ntpd}}
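
Review bot: the chroot steps never say who must own /var/lib/ntp, although NTPD_ARGS keeps "-u ntp:ntp" and the driftfile moves to /ntp.drift inside that directory. ntpd writes the drift file after dropping to the ntp user, so state the required owner and permissions of the chroot directory before the restart step; otherwise the first sign of a mistake is an error in the log, which may not appear until ntpd next writes the file. The sentence about creating directories and files for getaddrinfo() is also followed by no commands in the visible text, so the reader reaches the restart without knowing what to create.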

−

ntpd will work well if you have a connection to the internet all the time. If you are using dialup, you may just want to stick with using ntpdate via the command line.

+

It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.

Available alternative to NTPd are [[Chrony]], a dial-up friendly and specifically designed for systems that are not online all the time, and [[OpenNTPD]], part of the OpenBSD project and currently not maintained for Linux.

−

There is a default restrict statement for the localhost that includes an ignore flag. Without overriding it (adding the line ''restrict'' ''127.0.0.1'') you will not be able to query your NTP server. If that's not a concern to you, then leave out the restrict line for your localhost. You will still be able to synchronize with your stratum 2 servers.

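Installation

Configuration

Configuring connection to NTP servers

The first thing you define in your /etc/ntp.conf configuration file is the servers your machine will synchronize to.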

NTP servers are classified in a hierarchical system with many levels called strata: the devices which are considered independent time sources are classified as stratum 0 sources; the servers directly connected to stratum 0 devices are classified as stratum 1 sources; servers connected to stratum 1 sources are then classified as stratum 2 sources and so on.

It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability. Typically, stratum 2 servers are used for general synchronization purposes: if you do not already know the servers you are going to connect to, you should use the pool.ntp.org servers (alternate link) and choose the server pool that is closest to your location.

It is relatively difficult to be sure that your driftfile configuration is actually working without waiting a while, as ntpd does not read or write it very often. If you get it wrong, it will log an error; if you get it right, it will update the timestamp. If you do not see any errors about it after a full day of running, and the timestamp is updated, you should be confident of success.

Alternatives

Available alternatives to NTPd are Chrony, which is dial-up friendly and specifically designed for systems that are not online all the time, and OpenNTPD, part of the OpenBSD project and currently not maintained for Linux.